Yellow Dog Linux updates proftp, wu-ftp, and beroftp

Dan Burcaw writes:

The Yellow Dog Linux Security Team has just released three packages which fix recently discovered security vulnerabilities.

Packages: proftpd, wu-ftpd, beroftpd
Date: August 29, 1999
Due to insufficient bounds checking on directory name lengths which can be supplied by users, it is possible to overwrite the static memory space of the ftp daemon while it is executing under certain configurations. By having the ability to create directories and supplying carefully designed directory names to the ftp server, users may gain privileged access. This vulnerability may allow local & remote users to gain root privileges.

Thanks goes out to the wu-ftpd development group and the members of BugTraq for discovering and fixing this problem.

proftpd is the default FTP server installed with Yellow Dog Linux. You only need to upgrade it unless you have manually installed either wu-ftpd or beroftpd from the extras directory.

Urgency: HIGH
Solution: rpm -Uvh <file>






Be sure to restart inetd once you have upgraded your ftp server. You can do this by executing the following as root: /etc/rc.d/init.d/inet restart

Here are the md5 checksums of the update packages, please verify these before installing the new packages by running: md5sum <file>

220b153493412610e4a18a182d737253 RPMS/proftpd-1.2.0pre3-2.ppc.rpm
de83eaf2620afe25e3d5104735f5c7de extras/RPMS/wu-ftpd-2.5.0-2.ppc.rpm
ef70b8d6c87aa7c201764f683d0106f2 extras/RPMS/beroftpd-1.3.4-1.ppc.rpm

Users of Champion Server 1.0 can also, and are strongly advised to upgrade their ftp server.

More information can be found from our errata page at:


Yellow Dog Linux for Apple G3 and PowerPC
email: [email protected]
website: http://www.yellowdoglinux.com/